The Instance Metadata Service should not be available through IMDSv1
| Severity | Exploitability | Providers | Categories |
|---|---|---|---|
| HIGH | HIGH | AWS | DATA, PERMISSION |
Description
Amazon EC2 Instance Metadata Service is an on-instance component that EC2 instances use to access instance metadata.
There are two versions of the protocol that allow to access IMDS: IMDSv1 and IMDSv2. IMDSv1 should be disabled, as it has not been hardened against accidental exposure on the public internet. IMDSv2 introduced session based authentication. An app can start a session by sending an HTTP PUT request to IMDSv2. This protects against exploitation using SSRF/XXE vulnerabilities present inside the EC2 instance.
Impact
| Potential data exposure | Visible in logs | User interaction required | Privileges required |
|---|---|---|---|
| True | False | False | False |
An attacker could access Instance Metadata to breach applications in EC2 instances.
Remediation guidelines
There are two possibilities for remediation:
- Disable IMDS entirely if it's not needed.
- Transition from IMDSv1 to IMDSv2 by setting the
http_tokensvariable to "required" in themetadata_optionsblock in the IaC configuration.
References
Was this page helpful?
